
Data Integrity and Security Policy for Cloud-Stored Customer Data

Reference: Evident ISMS & IT GRC Program 

Version: 1.2 

Effective Date: January 10, 2025 

Review Cycle: Annual or as needed

1. Introduction

This document outlines Evident's approach to maintaining the integrity and security of customer data stored within cloud environments. It is part of a broader IT Governance, Risk, and Compliance (GRC) and Information Security Management System (ISMS) Program designed to align with internationally recognized frameworks and legal requirements. The policy supports our commitment to safeguarding customer data against unauthorized access, alteration, or loss, while ensuring its accuracy and availability throughout the data lifecycle.

2. Purpose

The purpose of this policy is to define the security measures and control objectives that govern customer data managed in cloud-based platforms. It establishes clear roles and responsibilities, supports risk mitigation strategies, and ensures compliance with applicable data protection regulations and standards, including ISO 27001, CIS v8, and Zero Trust principles, as well as Philippine DPA, HIPAA, and PIPEDA.

3. Scope

This policy applies to all Evident employees, contractors, and third-party service providers who handle or manage customer data hosted in cloud environments. It covers structured and unstructured data in all forms and lifecycle stages, from collection to secure disposal.

4. Governance and Regulatory Alignment

Evident’s data protection controls are structured according to the following reference frameworks and regulatory requirements:

  • ISO/IEC 27001 for governance, risk management, and continuous improvement
  • CIS Controls v8 and Zero Trust Architecture for layered technical safeguards
  • Philippine Data Privacy Act (DPA), HIPAA, and PIPEDA for legal and jurisdictional compliance

This policy is embedded within the larger ISMS and IT GRC framework and complements other organizational policies and procedures.

5. Core Principles

Evident’s approach to data integrity and security is based on key principles that guide all aspects of design, implementation, and governance:

  • Confidentiality: Ensuring data access is restricted to authorized individuals only
  • Integrity: Safeguarding the accuracy, completeness, and trustworthiness of data
  • Availability: Maintaining timely access to data for authorized users
  • Accountability: Defining and enforcing roles and responsibilities
  • Transparency: Informing data subjects about the handling and protection of their information
  • Least Privilege: Granting the minimum level of access necessary
  • Defense in Depth: Applying multiple layers of security across all systems and processes

6. Data Classification

Evident classifies customer data to determine appropriate levels of protection. This classification supports risk-based controls throughout the data lifecycle:

  • Public Data: Information that may be shared without negative consequences
  • Internal Data: For internal use only; unauthorized access has minimal impact
  • Confidential Data: Disclosure may result in business or reputational harm
  • Sensitive Customer Data: Includes PII, PHI, and financial information; loss or compromise may cause significant harm

Classification informs the enforcement of access controls, encryption, retention, and monitoring.

7. Data Integrity Controls

Evident maintains robust processes to ensure data remains accurate, consistent, and trustworthy:

  • Input Validation: Data inputs are validated at entry points to prevent errors and malicious activity
  • Access Controls: Only authorized personnel may alter data, based on defined roles
  • Audit Trails: All data modifications are logged with user, timestamp, and context details
  • Backups: Regular, automated backups are performed, with off-site storage and routine recovery tests
  • Data Reconciliation: Periodic checks are conducted across systems to identify discrepancies
  • Error Handling: Structured mechanisms prevent and respond to errors during processing

These measures collectively ensure data quality and enable recovery in case of corruption or loss.

8. Data Security Controls

8.1 Identity and Access Management

Access to cloud environments is governed by identity-based controls. Evident enforces multi-factor authentication, role-based access, and timely access reviews. Access rights are adjusted promptly upon personnel changes, and strong password policies are applied.

8.2 Encryption

All customer data is encrypted:

  • At Rest: Encryption is enforced on cloud storage systems to prevent errors and malicious activity
  • In Transit: Data transfers occur over secure channels (e.g., TLS 1.2+)
  • In Use: For highly sensitive data, encryption is applied during active processing

Key and certificate management is conducted in secure, segregated environments with restricted access.

8.3 Network Security

Cloud infrastructure is segmented into virtual networks and subnets, with strict access controls applied at network boundaries. Firewalls and security groups are configured to allow only essential communication, while advanced protections like intrusion detection, DDoS mitigation, and private endpoints are used to reduce exposure to external threats.

8.4 Vulnerability Management

Vulnerability scanning is routinely conducted across infrastructure and applications. Penetration testing is performed periodically by independent parties, and patches are applied in accordance with risk-based service levels.

8.5 Incident Response

A formal incident response plan is in place and tested regularly. All personnel are required to report suspected security events, and incident communication protocols ensure stakeholders and regulators are notified as required by law.

8.6 Logging and Monitoring

Security-relevant events are centrally logged and monitored in near real-time. Logs are analyzed using correlation rules to detect anomalies, and alerts are investigated by trained personnel to ensure timely remediation.

8.7 Cloud Provider Oversight

Evident conducts due diligence on cloud providers, ensuring they meet required standards and maintain appropriate certifications. Contracts clearly outline shared responsibilities, audit rights, and incident notification obligations.

9. Data Retention and Secure Disposal

Customer data is retained only for as long as necessary to meet legal, contractual, and business requirements. When no longer needed, data is securely destroyed using cryptographic erasure and deletion methods. Destruction is verified and recorded in audit logs.

10. Roles and Responsibilities

Responsibility for data protection is shared across the organization:

  • Executive Leadership: Endorses this policy and supports GRC initiatives
  • Data Protection & Security Team: Oversees implementation and compliance
  • Cloud & Infrastructure Team: Maintains secure technical environments
  • Developers: Apply security-by-design principles during application development
  • All Staff and Contractors: Must adhere to this policy and report incidents
  • Third-Party Providers: Bound by contract to comply with Evident’s security expectations

11. Compliance and Assurance

This policy supports Evident’s alignment with major standards and regulatory frameworks. Internal reviews and audits are conducted to measure adherence and identify opportunities for improvement. External assessments may be conducted upon request or to meet partner requirements.

12. Review and Maintenance

The policy is reviewed annually, or when there are changes in technology, regulation, or organizational priorities. Updates are approved by the security governance committee and communicated to relevant stakeholders.

13. Key Definitions

  • Customer Data: Information provided by or collected from clients or users
  • PII / PHI: Personally Identifiable / Protected Health Information
  • Cloud Environment: Computing services operated by external cloud providers
  • Encryption: Security controls applied based on data state (at rest, in transit, in use)
  • Access Controls: Measures ensuring only authorized personnel can access data
  • Audit Trails: Logs tracking changes to systems and data for accountability